feat: prohibit SSH login with anything other than publickey and for certain users

2a52041a · Jörg Sachse · f26accad · 2a52041a
Commit 2a52041a authored 2 years ago by Jörg Sachse
--- a/tasks/configure_ssh_hardening.yml
+++ b/tasks/configure_ssh_hardening.yml
@@ -34,11 +34,11 @@
      PermitRootLogin no
      # PermitRootLogin forced-commands-only
      # AllowUsers root lza import
-      # DenyUsers slub
+      DenyUsers dps
      # DenyUsers import
      # AllowGroups example1 example2
      # DenyGroups example1 example2
-      # AuthenticationMethods any
+      AuthenticationMethods publickey
      LoginGraceTime 2m
      PermitEmptyPasswords no
      PrintLastLog yes
@@ -47,7 +47,7 @@
      ClientAliveCountMax 2
      MaxAuthTries 3
      TCPKeepAlive no
-      {{ "PasswordAuthentication no" if ansible_os_family == "Debian" else "PasswordAuthentication yes" }}
+      PasswordAuthentication no
      # disable weak host key algorithm ssh-dss (Digital Signature Algorithm (DSA) / Digital Signature Standard (DSS))
      # NVT OID: 1.3.6.1.4.1.25623.1.0.117687
      HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com